Getting justice in cyber crime is difficult

If you’re a victim of cyber crime, the chances are you might have to pay for all the fraudulent transactions charged to your debit or credit card, as it will be difficult to prove laxity of the bank.

Banks usually get away by saying their system is secure and a transaction cannot take place unless the card and personal identification number (PIN) or one-time password (OTP) are used together. So, if a fraudulent transaction has occurred, they claim it is due to the customer’s negligence because only the customer is privy to the PIN or OTP.

“While the law has provisions to punish offenders severely, it is hostile towards consumers as the onus is on them to prove that the bank is wrong," says Pavan Duggal, a cyber law expert. He points out that the Information Technology Act, 2000 allows an individual to seek unlimited compensation if the intermediaries (banks) don’t have enough security and procedure to protect customers’ data. “But, proving that a bank didn’t have adequate security is a tall order," adds Duggal.

There are, however, some situations where you can shift the onus on to the bank. If a person’s card is used on a foreign website fraudulently, and no OTP was sent, it can work in favour of the individual. The mandatory two-factor authentication, which requires an OTP to be sent to the account owner’s mobile to authenticate a transaction, only works for payments within India. Many criminals, therefore, transact using the cards on foreign websites. The payment goes through without any OTP – just by entering the card details. “This is in direct violation to the Reserve Bank of India’s guidelines and it should tilt the case in the victim’s favour," says Jehangir Gai, a consumer activist.

If an individual can prove in court that the fraud has occurred despite taking all the required precautions, it can put the onus on the bank to prove the customer is at fault, says Prashant Mali, a cyber-security expert. “If the money is transferred to another account, then one should focus on whether the bank followed the know-your-customer (KYC) norms for the account where money was transferred. It’s likely that the bank had flouted KYC procedures. No one would defraud another person by giving real credentials," says Mali.

Courts have also ruled in favour of the victim when the complainant had brought similar cases against the bank in the same period to its notice. This indicates there is a lapse in the bank’s security and procedures. When you are filing a police complaint about unauthorised transactions on your card, inquire with the police officials if there were similar cases against your bank in the recent past. If there are, cite them in the court.

There are also chances of getting a favourable judgment if your card was used outside the country. In the past, there have been cases where fraudsters used the card outside the country while the customer was in India. As the victim’s passport supported this, banks were asked to reverse all the transactions.

VICTIM CAN PUT ONUS ON THE BANK BY… Proving the fraudulent transaction went through without OTP, such as those on foreign websites